A server may control access to a protected resource. To access the protected resource from a computer, a computer user may be required to enter a username and a one-time use passcode (OTP), which changes over time (e.g., periodically, after each use, etc.), into the computer. The computer then conveys the username and the OTP to the server to authenticate the computer user (e.g., in a web-based exchange). To obtain the OTP, the computer user may be required to manually read the OTP from a display of an authentication token in the computer user's possession (e.g., a hardware token, a soft token installed on the computer user's smartphone, etc.) and type it in.
When the server receives the username and the OTP from the computer user, the server either grants or denies access to the protected resource. In particular, if the OTP provided by the computer user matches an OTP which is expected for the computer user, authentication is considered successful and the server permits the computer user to access the protected resource. However, if the OTP provided by the computer user does not match the expected OTP (e.g., the OTP provided by the computer user is incorrect or stale), authentication is considered unsuccessful and the server denies access to the protected resource.
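The accept/deny decision described above, as an added example that is not part of the original text. The text names no OTP algorithm, so this sketch assumes time-based OTPs per RFC 6238 (30-second step, 6 digits, HMAC-SHA1); the names `OtpServer`, `enroll` and `authenticate` are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per OTP period (assumption, RFC 6238 default)
DIGITS = 6   # OTP length (assumption)

def totp(secret: bytes, counter: int) -> str:
    """OTP for one time-step counter (RFC 4226 truncation, RFC 6238 counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

class OtpServer:
    """Hypothetical server side: holds each user's token seed and decides access."""

    def __init__(self, window: int = 1):
        self.window = window   # clock drift tolerated, in time steps
        self.secrets = {}      # username -> seed shared with the token
        self.last_used = {}    # username -> counter of the last accepted OTP

    def enroll(self, username: str, secret: bytes) -> None:
        self.secrets[username] = secret

    def authenticate(self, username: str, otp: str, now: float) -> bool:
        secret = self.secrets.get(username)
        if secret is None:
            return False
        current = int(now) // STEP
        matched = None
        for counter in range(max(0, current - self.window), current + self.window + 1):
            expected = totp(secret, counter)
            # Constant-time comparison of the provided and expected OTP.
            if hmac.compare_digest(expected.encode(), otp.encode()):
                matched = counter
        # Deny an incorrect OTP, and deny a stale one (already used, or older
        # than the last accepted OTP) even though its digits are valid.
        if matched is None or matched <= self.last_used.get(username, -1):
            return False
        self.last_used[username] = matched
        return True
```

Recording the last accepted counter per user is what makes each passcode single-use inside the drift window; without it, a captured OTP would stay valid until its time step expired.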